The present invention, in some embodiments thereof, relates to detecting potential unauthorized operations in a protected network, and, more specifically, but not exclusively, to detecting potential unauthorized operations in a protected network by monitoring interaction between dynamically updated deception data objects deployed in the protected system and deception applications hosted by a decoy endpoint.
Organizations of all sizes and types face the threat of being attacked by advanced attackers who may be characterized as having substantial resources of time and tools, and are therefore able to carry out complicated and technologically advanced operations against targets to achieve specific goals, for example, retrieve sensitive data, damage infrastructure and/or the like.
Generally, advanced attackers operate in a staged manner, first collecting intelligence about the target organizations, networks, services and/or systems, initiate an initial penetration of the target, perform lateral movement and escalation within the target network and/or services, take actions on detected objectives and leave the target while covering the tracks. Each of the staged approach steps involves tactical iterations through what is known in the art as observe, orient, decide, act (OODA) loop. This tactic may present itself as most useful for the attackers who may face an unknown environment and therefore begin by observing their surroundings, orienting themselves, then deciding on a course of action and carrying it out.